Hackensack University Medical Center has a long-term strategy for information and access management that includes security, IT and the whole medical center community.


Hospital environments present complex security and patient data privacy and access issues that must be addressed by the security and information technology staff. At the core of Hackensack University Medical Center’s (HUMC) identity integration strategies is a mission to enable the highest levels of both quality of patient care and clinician productivity.

Most healthcare organizations see identity management as important due to regulatory compliance, reporting requirements and patient data privacy; but they struggle with implementing an identity management strategy that balances security with user convenience.

As HUMC began evaluating identity integration strategies, we decided to take a phased approach. We reviewed industry best practices and case studies of implementations. We decided to begin our identity integration initiative with single sign-on to help eliminate password problems, shorten logon times, enable sessions roaming and ensure accurate identity. This was a major step in our long-term identity and access management or IAM strategy, and provides a solid platform for achieving our overall goal. We are also expanding our initiative to include context management (for access between applications) and proximity badges. Eventually the medical center will include user provisioning and physical/logical integration to create a comprehensive integrated identity management infrastructure that enables location-based authentication to applications, networks and facilities all from a single user access policy.

For the first phase of our identity integration endeavors, HUMC selected Imprivata OneSign Single Sign-On (SSO) to provide easy and convenient access to clinical information without compromise to patient care. By eliminating password problems that were plaguing staff, OneSign SSO will reduce time physicians and nurses spend accessing applications and increase time spent with their patients. Since the medical center’s security policies require unique passwords for each of its separate clinical applications as well as password changes every 45 days, staff was quickly overwhelmed trying to keep track of each application’s regularly-changing password. Driven by a commitment to quality, HUMC’s security and IT sought a way to address this staff pain point by making it convenient to access critical patient records and information by reducing the number of necessary passwords.

Implementing best-of-breed products ensures we’re getting the best that’s available to us. We also believe in technologies that are based on open standards and do not require heavy adjustments to our existing infrastructure. Single Sign-On met those requirements and more, as its non-intrusive approach to learning each application and the fact that there were no changes required to Active Directory made it a perfect fit with our overall technical philosophy. The first phase of this project will also include a pilot of proximity badges and biometric readers, which enable clinicians and nurses to automatically log on and off computers in examination rooms. We’ll be looking at other technologies that follow suit as we further our integrated identity management strategy.

SIDEBAR: Hackensack University Medical Center

The Center is a nationally recognized 781-bed teaching and research hospital that provides the largest number of inpatient and outpatient services in New Jersey and is the fourth largest hospital in the nation based on admissions. The medical center is the recipient of numerous quality honors including being named one of the top 50 hospitals in the country by HealthGrades, the leading independent healthcare ratings company. HUMC is the only hospital in New Jersey, New York and New England to receive this honor.

SIDEBAR: Five Best Practices

  1. View Identity Management as Part of a Long-term Strategy: Integrating identity management brings with it a number of benefits from clinician and staff productivity to increased patient data security to improved patient care (the end-goal of any healthcare organization), but it is not a one-and-done action. Identity management needs to become a long-term strategy that is continuously reviewed and improved, with new technologies and policies considered and managed.

  2. Take a Phased Approach: Phasing in technologies into your overall strategy over time will enable employees to establish a comfort level while slowly adjusting their behavior. This will also enable you to stem concerns as users become familiar with new technologies, while also enabling you to take advantage of the latest and greatest functionality on the market.

  3. Understand the Trade-off Between Best-of-Breed vs. Integrated Suite: There are many options available to you, so take a close look at the differences between best-of-breed solutions and integrated suites. Best-of-breed products that utilize industry standards offer the clients with feature-rich functionality and tight integration into the existing infrastructures that is not found in integrated suites. Although an integrated suite may provide “one throat to choke,” functionality you could really use may be relegated to the drawing board for future products, locking you in even more. Be sure to understand your options clearly, and the future feature development paths of products.

  4. Call the Doctor to Get a Second Opinion: It’s critical to get senior-level endorsement and clinician involvement in the strategy and the deployment of the technologies. In addition to our nursing teams, Gerard A. Burns, MD CMIO (Chief Medical Informatics Officer) is part of the IT team and has been instrumental in the strategy and execution of our identity management initiatives, providing the relevant insight into how it will be received and utilized by clinicians and staff.

  5. Identify and Map Out a Comprehensive Password Policy: As the first step in many integrated identity management initiatives, password management is the key to a person’s identity in the realm of networks, application and access to data. Be sure to establish the right set of policies and procedures that the technology can feed off of and manage.